How cloud security is being delivered

Well over 80 per cent of organisations already transfer or plan to transfer sensitive or confidential data into the cloud, according to research, although the perceived level of data security is uncertain for many of them. This HP whitepaper explores what the cloud industry is doing to alleviate cloud security fears and what organisations can do for themselves to protect their valuable data.

For the above-mentioned research, the Ponemon Institute, a data security research specialist, questioned 4,000 business and IT managers around the world about their attitudes to cloud data security.

Who's responsible for cloud security?

While the large majority of respondents said that their organisation was already transferring sensitive data into the cloud, Ponemon sought to find out who they thought was responsible for the data security. Was it themselves or the cloud provider?

It found that 64 per cent of organisations believed their cloud provider had primary responsibility for protecting that data. However, nearly two-thirds of respondents said they did not know what cloud providers were actually doing in order to protect the data entrusted to them. Perhaps unsurprisingly, the survey, which was commissioned by technology and defence group Thales, found that 39 per cent believed cloud adoption had decreased their companies' security strength.

Server security and data encryption are key elements when it comes to cloud security. After all, if the servers the data sits on are fully secured, and any data being transferred between servers is protected, a large proportion of the potential threats to data security is alleviated, whether private, public or hybrid clouds are being used.

Evaluating the risks

When reducing the risks of moving data or applications over to the cloud, firms cannot usually rely on a "one size fits all" scenario. Not all risk scenarios are the same. For instance, some critical applications might be too important to move to a cloud service provider, while extensive security controls might be deemed "over the top" for relatively low-value data being moved to cloud-based storage platforms.

With so many different cloud services to choose from, the security choices vary widely. Firms can choose cloud services such as software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), and then there are the types of cloud delivery environment to be chosen - public cloud versus private cloud deployments, internal versus external hosting, and various hybrid solutions.

When it comes to cloud security, firms should take the approach they should nearly always take when considering security: a risk-based position on selecting the right security options for their individual cloud service. Once they have done that, they can then ask whether their cloud service provider is up to the job.

Are cloud service providers up to scratch?

The Cloud Security Alliance (CSA), a cloud industry group which is backed by most of the major cloud service providers - including the likes of HP, Google, Verizon and Microsoft - promotes a registry of cloud security controls adhered to by cloud providers. The CSA Security, Trust and Assurance Registry (STAR) is a free and publicly accessible registry that documents the security controls provided by various cloud computing offerings. Consumers of cloud services should require STAR reports as part of their procurement process, says the CSA.

CSA STAR is open to all cloud providers and allows them to submit self-assessment reports that document compliance with CSA-published best practices. The searchable registry allows potential cloud customers to review the security practices of providers, "accelerating their due diligence and leading to higher quality procurement experiences," says the CSA.

Google and Microsoft, for instance, use the registry to show what security systems they have in place to support their Google Apps and Office 365 cloud-based productivity apps.

Contracts and service level agreements

However, even if buyers of commercial cloud services can get more information from potential cloud service providers on security, they are still finding that contract provisions covering security are inadequate, according to Gartner. The industry analyst firm says that contracts often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident.

This leads to dissatisfaction among cloud service users. Gartner said that through to 2015, 80 per cent of corporate IT procurement professionals will remain dissatisfied with SaaS contract language and with the protections that relate to security, for instance. "We continue to see frustration among cloud service users over the form and degree of transparency they are able to obtain from prospective and current service providers," said Gartner analyst Alexa Bona.

Minimum security terms

At a minimum, says Gartner, cloud service users need to ensure that contracts allow for an annual security audit and certification by a third party, with "an option to terminate the agreement in the event of a security breach if the provider fails on any material measure." In addition, according to the analyst firm, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools, such as those provided by the CSA.

"Whatever term is used to describe the specifics of the service level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations," said Bona. She says that cloud users should include recovery time objectives, recovery point objectives and data integrity measures in the SLAs, with "meaningful penalties if these are missed."

When considering a cloud deployment, organisations must first assess their network for cloud suitability, consider how to handle their unstructured data, and decide what data and applications they can reliably and securely put into the cloud. They must also complete a user impact assessment, consider how legacy systems can be integrated with cloud applications and systems, plan a cloud migration strategy, and educate users about safe cloud use.

This is why, when it comes to security, the cloud service providers themselves are often approached by customers for assistance, as many lack the internal skills to complete the necessary security assessments. There is no problem with seeking external cloud security help, though, provided the cloud service contract covering security and data protection is scrutinised closely.